GDPR and Social Surveys The Opportunities in Practice 14 January - - PowerPoint PPT Presentation



SLIDE 1

GDPR and Social Surveys

The Opportunities in Practice

14 January 2019

Debrah Harding, Managing Director, MRS

SLIDE 2

Agenda Topics

Overview of GDPR

  • legislative framework
  • impact of Brexit
  • reminder of some key concepts

Public interest research

  • definition of public interest
  • who can undertake research in the public interest
  • using public task as a ground for processing

Scientific and statistical research

  • collecting special category data

Research exemption

  • data subject rights
  • adaptations to the data protection principles
SLIDE 3

Objectives for Today

To help you and your colleagues:

  • Increase awareness of the legal privacy and data framework for research
  • Identify differences between GDPR and the Data Protection Act (DPA) 2018 for research, specifically for public interest and scientific research
  • Highlight key actions for researchers to ensure GDPR and DPA 2018 compliance
  • Update on new research sector guidance
SLIDE 4

Some context: Regulation v. national law

  • Previous privacy framework was a Directive: each EU state had its own law and own interpretation
  • GDPR is a directly applicable Regulation: GDPR is the same in each Member State…but Member States can legislate on specific areas or activities which are subject to ‘derogations’
  • Research is a derogation
  • Need to understand GDPR plus relevant domestic legislation: in the UK, the Data Protection Act 2018

SLIDE 5

Some context: Brexit

  • GDPR has applied since 25th May 2018
  • The UK Data Protection Act 2018 received Royal Assent in May 2018 to bring GDPR into national law
  • New draft legislation – The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 – has also been prepared to ensure that the data protection legal framework continues to function after Brexit
  • The new legislation amends the Privacy & Electronic Communications Regulations 2003 (PECR) and the DPA18, and introduces the “UK GDPR”

SLIDE 6

The Regulators

  • In the UK the Information Commissioner’s Office (ICO) regulates the Data Protection Act 2018
  • In the EU the European Data Protection Board (EDPB) regulates the GDPR – after March 2019 the ICO will no longer be part of the EDPB
  • For EU cross-border complaints where UK citizens or UK businesses are involved…not clear yet what will happen

SLIDE 7

Some Concepts: 3 Types of Data

(Diagram; only its labels are recoverable)

  • Personal Dataset: unique identifier (e.g. Name); e.g. Postcode; e.g. Health information
  • Pseudonymised Dataset: de-identified data
  • Anonymised Dataset: non-identifiable data

SLIDE 8

Some concepts: Obligations

Data Controller(s)

  • Lead responsibility
  • Direct responsibilities e.g. required to conduct DPIA; point of contact for individuals; audit of DP responsibilities
  • Contractual obligations

Data Processor

  • Direct responsibilities
  • Contractual obligations e.g. seek approvals, e.g. to appoint a sub-processor or for data transfers out of the EEA

But also similar obligations

  • Appointment of DPO; record-keeping; technical and organisational measures; privacy by design and default; lawful basis for processing; data breach notification

SLIDE 9

Key concept: Processing research data

Options available for research processing:

  • Consent – specific, informed and freely given consent through clear affirmative action
  • Legitimate interest – based on reasonable expectations and provided it does not override the rights of individuals (research is a compatible purpose)
  • Public interest – processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller
  • Other grounds – such as: contract; compliance with a legal obligation; vital interests of the data subject

SLIDE 10

Public Interest Research – the what

  • Public interest not defined in GDPR or UK DPA18
  • Specific ICO guidance for freedom of information and environmental information regulations plus public law proceedings via the UK courts
  • ONS Research Code of Practice and Accreditation Criteria (developed for the Digital Economy Act)
  • Broad understanding:
    • public interest represents collective interests
    • promotes wider values than purely economic or market issues
    • takes account of all, including citizens
SLIDE 11

Public Interest Research – the who

  • Public task as a processing ground for research
  • Processing is necessary for…
    • the performance of a task carried out in the public interest;
    • or in the exercise of official authority vested in the controller
  • For a public task which is in the public interest the controller must be a public authority
  • Must be based on authority in law, but includes organisations with research as an incorporated or statutory purpose e.g. NHS, universities

SLIDE 12

Public Interest Research – the process

  • Does the underlying task, function or power have a clear basis in law?
  • What is the public interest being pursued?
  • Is the processing necessary for the public interest?
  • Do the data subject’s rights override the public interest text being pursued?

SLIDE 13

Public Interest Research – in practice

  • HMRC collects extensive personal data provided largely for the purposes of tax assessment and collection.
  • If HMRC wishes to carry out research that is directly related to improving how HMRC carries out its functions it could do so under the “public task” processing conditions – rather than other conditions such as informed consent
  • However HMRC could still decide to follow other processing grounds, such as informed consent, due to wider research and ethical considerations
  • Such considerations and decisions must be documented to demonstrate why an approach was selected and on what basis

SLIDE 14

Public Interest and Scientific Research – the data

  • DPA18 has additional specific conditions for “substantial” public interest research, separate from a public task, which is for:
    • Archiving purposes in the public interest
    • Scientific or historical research purposes
    • Statistical purposes
  • To use the specific conditions, the processing must be:
    • Necessary for archiving purposes, scientific or historical research purposes or statistical purposes
    • In the public interest
  • DPA18 sets out an extensive list of specific activities deemed to meet substantial public interest
  • Still need to have a legal ground for processing personal data
  • Can use this to process ‘special category data’ without consent assuming all other conditions are met (necessary, with appropriate safeguards, meets the public interest test)
  • The controllers for this could be public or private in order to use these conditions

SLIDE 15

Public Interest and Scientific Research – in practice

  • Special category data (race, ethnicity, religion etc.) and/or criminal convictions data may be collected as demographic data for research classification purposes
  • The data might also be collected for equal opportunities monitoring
  • If the latter, which is substantially in the public interest, the public interest and scientific research conditions can be used
  • Such data could be collected by either public or private organisations; the condition will apply irrespective of the type of controller collecting the data

SLIDE 16

Research exemption

  • Personal data that are processed for scientific or historical research purposes, statistical purposes or archiving purposes in the public interest have access to a research exemption; there is no need to undertake a public interest test except for archiving
  • The exemption recognises the importance of personal data in providing a strong science base, ensuring quality and reliability
  • It is not an automatic exemption. To use it controllers must consider:
    • Necessity of processing
    • Extent to which full compliance would impair research processing
  • Appropriate safeguards must be met, which includes:
    • Not for measures or decisions with respect to a particular data subject
    • No likelihood of substantial damage or substantial distress
  • Other requirements such as technical and organisational measures are still required, plus any resulting research results must be published

SLIDE 17

Research exemption

  • What it means:
    • Exemptions and exceptions from certain data subject rights such as objecting to processing, restricting processing and data rectification
    • Exceptions from provisions on the right to be informed and the right to erasure
    • Limits the application of the purpose and storage limitation so data can be used for other research purposes and kept for longer periods
    • Some isolated transfers outside the EEA if to increase knowledge
    • Some limitations on the right of data access if disproportionate effort
  • Longitudinal projects, cohort studies, multiple wave research projects – projects where there is a need to keep data for a long time, and/or have information about participants for a long time – might find the research exemptions of most use

SLIDE 18

Before you start

  • Accountability
    • Am I a controller or a processor?
    • What are my responsibilities?
    • Do I have the appropriate measures in place?
  • Purpose
    • Is this a research project?
    • What kind of research project?
    • Is it public interest research?
    • Is it scientific research?
  • Legal bases for processing
    • Which legal bases will I use for processing?
    • Consent? Legitimate interest? Public interest? Contract?
  • Data
    • What data will I be using?
    • Can I use the data?
    • What data will I be collecting?
    • Will I need a processing condition to collect special category data?
  • Exemptions
    • Does the research exemption apply?
    • Do I want to use the research exemptions?
  • Risks
    • What are the risks?
    • What is the likelihood of the risks?
    • Have I taken appropriate steps to mitigate the risks?

SLIDE 19

MRS guidance & awareness

Guidance

  • MRS EFAMRO ESOMAR Guidance Note on Research Sector – Legal Bases (June 2017)
  • MRS GDPR Guidance Notes: legal grounds, controllers and processors
  • GDPR In Brief: 9 GDPR topics covered to date
  • Data Protection & Market Research: Guidance for MRS members (February 2018; April 2018)

Live and Recorded Webinars

  • GDPR Masterclasses: organisational accountability and transparent research
  • MRS AURA Client Side Research (November 2017)
  • RAS GDPR (March 2018)
  • Off the Starting Blocks (March 2018)

Events

  • Regular MRS Training
  • Association events
  • Company Partner Briefings (ongoing)
SLIDE 20

New Guidance

  • MRS and SRA working together
  • Producing new guidance for social research
  • Will cover in depth the public interest and statistical research options
  • Drafted and being refined in consultation with the ICO
  • To be issued soon in 2019
  • Webinar and/or event to support the launch
SLIDE 21

Thank you. Any questions?